Anti-Forensics: Techniques, Detection and Countermeasures
Loading...
Authors
Garfinkel, Simson
Subjects
anti-computer forensics
42.zip
cybercrime
EnCase
hacker tools
privacy enhancing tools
42.zip
cybercrime
EnCase
hacker tools
privacy enhancing tools
Advisors
Date of Issue
2007-03
Date
Publisher
Language
Abstract
Computer Forensic Tools (CFTs) allow investigators to recover deleted files, reconstruct an intruder's activities, and gain intelligence about a computer's user. Anti-Forensics (AF) tools and techniques frustrate CFTs by erasing or altering information; creating "chaff" that wastes time and hides information; implicating innocent parties by
planting fake evidence; exploiting implementation bugs in known tools; and by leaving "tracer" data that causes CFTs to
inadvertently reveal their use to the attacker. Traditional AF tools like disk sanitizers were created to protect the privacy
of the user. Anti-debugging techniques were designed to protect the intellectual property of compiled code. Rootkits allow
attackers to hide their tools from other programs running on the same computer. But in recent years there has been an
emergence of AF that directly target CFTs. This paper categorizes traditional AF techniques such as encrypted file
systems and disk sanitization utilities, and presents a survey of recent AF tools including Timestomp and Transmogrify. It
discusses approaches for attacking forensic tools by exploiting bugs in those tools, as demonstrated by the "42.zip"
compression bomb. Finally, it evaluates the effectiveness of these tools for defeating CFTs, presents strategies for their
detection, and discusses countermeasures.
Type
Paper
Description
The 2nd International Conference on i-Warfare and Security
Refereed Conference Paper
Refereed Conference Paper
Series/Report No
Department
Organization
Identifiers
NPS Report Number
Sponsors
Funder
Format
Citation
Garfinkel, S., "Anti-Forensics: Techniques, Detection and Countermeasures", The 2nd International Conference on i-Warfare and Security (ICIW), Naval Postgraduate School, Monterey, CA, March 8-9, 2007. (Acceptance rate: 55%)
Distribution Statement
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.